Managing allowed URLs

Tanium as a Service deployments include a customer-specific proxy server that allows the destinations that are required for Tanium modules to work. To request additional allowed entries, consult your Technical Account Manager (TAM).

The URL expressions that you configure on the Administration > Management > Allowed URLs page control how the Tanium Server handles file downloads that the Tanium Client requests from Internet URLs. When the Tanium Client executes content (such as action packages or sensors), the script associated with that content might request a file from an Internet URL. The Tanium Client API uniquely identifies the download by URL, including file name. For security, the Tanium Client sends a message to the Tanium Server, which checks the requested URL against its lists of package file URLs and allowed URLs. The package file URLs are known URLs that the package author specified. You use the allowed URLs to account for dynamic URLs, such as URLs that a Tanium Client script computed. If the URL does not match either list, the request fails.

The first time the Tanium Server handles a Tanium Client file download request that passes the allowed URLs check, the server downloads the file and stores a temporary package file and metadata so that it can distribute the file to endpoints (see Tanium Client User Guide: File distribution). The allowed URLs configuration includes settings that affect how often the Tanium Server checks for changes to the requested URL files and how often the server clears temporary files.

You must be assigned a role with the Write Allowed Urls (micro admin) permission to create, modify, or delete the allowed URLs configurations. Users that are assigned to the Administrator reserved role have this permission.

Add allowed URLs

  1. From the Main menu, select Administration > Management > Allowed URLs.
  2. Click New URL Expression.
  3. Configure the following settings.

    URL/regular expression

    Specify a URL. You can use a regular expression to allow multiple files from a base URL. For example, to allow any download from www.microsoft.com, use the following regex:

    http\:\/\/www\.microsoft\.com\/.*

    Note that the value is case sensitive. For example, the regex https\:\/\/192\.0\.2\.1\/abc\.csv allows https://192.0.2.1/abc.csv but not https://192.0.2.1/ABC.csv. The regex to allow both files is https\:\/\/192\.0\.2\.1\/(abc|ABC)\.csv. The parentheses are required: without them, the alternation splits the whole expression into https\:\/\/192\.0\.2\.1\/abc and ABC\.csv.

    When a Tanium Client initiates a download that passes this check, the Tanium Server downloads the file so that it can distribute it to Tanium Clients through the linear chain.

    Download Interval

    Specify an interval at which the Tanium Server checks the URL for changes to the requested file. The default is every 6 hours. If the check indicates there are changes to the file, the Tanium Server updates its copy of the file and restarts the expiration clock. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

    Expiration

    Specify the interval for clearing stale packages. The default is seven days. This means that the Tanium Server deletes files that it has not downloaded and that Tanium Clients have not requested in the past seven days. If a Tanium Client subsequently requests the URL, the Tanium Server downloads it again and resumes the update checks. For URLs that you specify with a regular expression, the Tanium Server maintains a timer for each match.

  4. Save the configuration.
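The following added example (not Tanium code) checks candidate expressions against URLs that should and should not be allowed before you save them. It assumes that Python's re module approximates the server's regex syntax; this page does not state whether the Tanium Server matches the whole URL or any substring, so both are tested. The check() and run_audit() helpers and all sample URLs are constructed for illustration.

```python
import re

def check(expr, allow, deny, anchored=True):
    """Return the URLs on which expr disagrees with the intended policy."""
    rx = re.compile(expr)                      # case sensitive, as the page notes
    hit = rx.fullmatch if anchored else rx.search
    wrong = [u for u in allow if not hit(u)]   # intended downloads that fail
    wrong += [u for u in deny if hit(u)]       # unintended URLs that pass
    return wrong

# Expressions based on the two examples on this page.
BASE = r"https\:\/\/192\.0\.2\.1\/"
GROUPED = BASE + r"(abc|ABC)\.csv"             # alternation limited to the name
UNGROUPED = BASE + r"abc|ABC\.csv"             # alternation splits the whole regex
MS = r"http\:\/\/www\.microsoft\.com\/.*"
MS_UNESCAPED = r"http://www.microsoft.com/.*"  # "." matches any character

# Constructed sample URLs (documentation address ranges and example domains).
ALLOW = ["https://192.0.2.1/abc.csv", "https://192.0.2.1/ABC.csv"]
DENY = ["https://192.0.2.1/Abc.csv", "https://192.0.2.1/abc",
        "https://198.51.100.7/ABC.csv", "https://192.0.2.1/abcXcsv"]
MS_ALLOW = ["http://www.microsoft.com/download/tool.exe"]
MS_DENY = ["https://www.microsoft.com/download/tool.exe",   # different scheme
           "http://www.microsoft.com.example.net/tool.exe",  # longer host name
           "http://WWW.MICROSOFT.COM/tool.exe",              # different case
           "http://wwwXmicrosoft.com/tool.exe"]              # dot position abused

def run_audit():
    """Evaluate every expression under both matching assumptions."""
    return {
        "grouped/full": check(GROUPED, ALLOW, DENY),
        "grouped/search": check(GROUPED, ALLOW, DENY, anchored=False),
        "ungrouped/full": check(UNGROUPED, ALLOW, DENY),
        "ungrouped/search": check(UNGROUPED, ALLOW, DENY, anchored=False),
        "ms/full": check(MS, MS_ALLOW, MS_DENY),
        "ms_unescaped/full": check(MS_UNESCAPED, MS_ALLOW, MS_DENY),
    }

if __name__ == "__main__":
    for name, wrong in run_audit().items():
        print(f"{name:18} {'OK' if not wrong else 'MISMATCH: ' + ', '.join(wrong)}")
```

An empty result means the expression enforces exactly the intended policy for the sample set; add your own allowed and denied URLs before relying on an expression in production.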

Import or export an allowed URLs configuration

You can use the import and export features to facilitate migration from a lab environment to a production environment.

Export specific configurations

  1. Select one or more rows in the table and click Export in the toolbar above the table header.
  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the JSON file to the Downloads folder on the system you use to access the Tanium Console.

Export the complete allowed URLs configuration

  1. Click Export All in the table header.

    Alternatively, or if you want to export other configuration objects in addition to allowed URLs, go to any Administration > Content or Administration > Permissions page, click Export Content at the top right of the Tanium Console, select Allowed URLs and any other object types, select the Export Format (JSON or XML), and click Export.

  2. Enter a File Name or accept the default, and then click OK. The Tanium Server exports the JSON file to the Downloads folder on the system you use to access the Tanium Console.

Import a configuration

You can import files that are in JSON or XML format.

  1. Digitally sign the content file and ensure a public key is in place to validate the signature, as described under Authenticating content files.
  2. From the Main menu, select any Administration > Content or Administration > Permissions page and click Import Content at the top right of the page.
  3. Click Choose File, find and select the configuration file, and click Open.
  4. Click Import. If object names in the file are the same as for existing objects, the Tanium Console itemizes the conflicts and provides resolution options for each one.
  5. Select resolutions for any conflicts. For guidance, see Conflicts and Best practices, or consult your TAM.
  6. Click Import again, and click Close when the import finishes.